[57] ABSTRACT

An issuer offers any type of service secured with a secret cryptographic key assigned to an applicant according to the present invention, which includes a secret key registration process. Usually, the secret key will be loaded on a portable memory device or other secret key store of the applicant. As preliminary steps, the issuer sets up its public key for the Probabilistic Encryption Key Exchange (PEKE) cryptosystem, and the applicant obtains a copy of a secret key registration software, a copy of the issuer's public key, and an uninitialized portable memory device. Once initiated by the applicant, the registration software generates an internal PEKE secret key. The applicant chooses a registration pass query and pass reply that the registration software MACs and encrypts with a key derived from the PEKE secret key. The registration software derives the key assigned to the applicant from the PEKE secret key, and loads it into the secret key store. A message is sent to the issuer data processing center where the cryptographic processing (PEKE, MAC, encryption) is reversed. Using an alternate channel (e.g. telephone conversation) an issuer agent verifies the identity of the applicant: the agent asks the pass query, the applicant replies with the pass reply, and the issuer verifies the applicant's knowledge of some relevant personal data. The issuer agent can approve the applicant's registration in the issuer database. There is no need for the issuer to personalize either the software or the secret key store before delivery to the applicant, and there is a single personal contact between the applicant and the issuer agent.

15 Claims, 3 Drawing Sheets
INITIAL SECRET KEY ESTABLISHMENT INCLUDING FACILITIES FOR VERIFICATION OF IDENTITY

The present application claims priority of U.S. provisional patent application Ser. No. 60/046,047 filed May 9, 1997 and of PCT/CA97/00431 filed May 7, 1998, designating the United States and now pending in the international phase.

FIELD OF THE INVENTION

The present invention generally relates to cryptographic key management that is required for the implementation of secure data communications or transaction processing. More specifically, it relates to the establishment (or re-establishment, e.g. after a security breach) of the very first shared secret key between two parties (e.g. a client and a financial institution in an on-line banking service arrangement). This registration process encompasses human activities by the parties' agents for the verification of identity. The present invention facilitates these human activities by a novel and unique arrangement of automated operations, notably cryptographic transformations. The present invention also relates to the secure loading of cryptographic key material in hand held memories in the form of smart cards, security tokens, and the like. Although the present invention uses public key cryptography primitives, it does not assist the establishment of a private/public key pair of the type used for digital signatures or public key encryption. The present invention does not deal with the derivation of a session key or a one-time password from either a preset shared secret key, or a preset secret password.

BACKGROUND OF THE INVENTION

For the deployment of electronic commerce and on-line banking services, information security techniques are of paramount importance. As will be seen from the prior art cited hereafter, they are also important for the protection of computer networks and the authentication of subscribers of mobile telephone services. There is a common organization of such electronic authentication applications, despite the diversified vocabulary used in different application areas. There is first a central database under the operational control of a service organization whose trustworthiness is commensurate with the issues at stake. Then, there are the potential clients, individuals or organizations. The general function of a registration process is to make a given client known by the service organization in such a way that the subsequent routine processing of transactions is automated and efficient. The clients have access to electronic apparatus through which they conduct their ordinary activities. A registration process provides the client with secret authentication information. This secret can be a Personal Identification Number (PIN), a private key for a digital signature algorithm, or a secret cryptographic key shared between the client and the service organization. While a PIN can be remembered by a normal person, the two other forms of authentication secret require a digital memory of some sort. The present invention is mainly concerned with the registration process when a shared secret authentication key is used.

Ultimately, transaction authentication is effective if it secures the legal tie or bind between a bank account withdrawal and the account holder's liability, while barring access to the funds by defrauders. Since the account holder is a legal person rather than a digital apparatus, the required chain of evidence is a two-tiered authentication bind: 1) the logical bind between the account holder (or the account holder agent) and a cryptographic operation performed by a digital apparatus, and 2) the bind between this said cryptographic operation and the transaction historic records of the financial institution. Within its scope of a registration process, the present invention addresses these two aspects of transaction authentication.

The distinction between "secret key cryptography" and "public key cryptography" is well known in the prior art. In the present disclosure, we reserve the term "secret" to data shared in confidence between parties (in a secret key cryptographic arrangement), and respectively the terms "private" and "public" to the components of a private/public key pair of the type used for digital signatures or public key encryption from the field of public key cryptography.

The elementary cryptographic operation used in transaction authentication can be DES encryption of a secret Personal Identification Number (PIN) entered at a Point of Sale terminal (POS terminal) with cryptographic integrity protection applied to the whole transaction (typically with a Message Authentication Code based on DES and a secret key). In that case, a long-term secret key has to be established initially between the POS terminal and the data processing center responsible for transactions initiated from this POS terminal (normally under the control of the merchant's financial institution). This long-term secret key is of the type that can be established with the present invention. U.S. Pat. No. 4,771,461 discloses a procedure for this secret key establishment.

This prior art of U.S. Pat. No. 4,771,461 suffers from a number of intrinsic limitations. First and foremost, there is the following explicit security weakness (column 16 lines 1 to 6): "The general exposure of the procedure is that an opponent can always initiate a successful sign-on from his [...] signs on before T2 and does not report this to the KDC [Key Distribution Center]. In that case, the fake terminal can [...] continue to operate indefinitely." More generally, the procedure of U.S. Pat. No. 4,771,461 appears outdated when one considers the level of sophistication reached by adversaries of actual cryptosystems. See for instance the article by Ross J. Anderson, Liability and Computer Security: Nine Principles (in Computer Security-Esorics '94, Third European Symposium on Research in Computer Security, November 1994, LNCS 875, Springer Verlag, pp 231-245), the article by Martin Abadi and Roger Needham, Prudent Engineering Practice for Cryptographic Protocols (in 1994 IEEE Symposium on Research in Security and Privacy, IEEE, 1994, pp 122-136), and the article by Ross J. Anderson and Roger Needham, Robustness Principles for Public Key Protocols (in Advances in Cryptology, CRYPTO' 95, LNCS 963, Springer Verlag, 1995, pp 236-247). Nonetheless, U.S. Pat. No. 4,771,461 has the merit of stressing the importance of data integrity protection for the initial establishment of cryptographic keys.

There are also operational limitations in the procedure of U.S. Pat. No. 4,771,461. Despite the acknowledgment that courier services for secret key distribution are expensive and burdensome, it is not clear how courier services can be avoided altogether. They may be required because the POS terminals can be loaded with a terminal identifier and/or a public key at a central location. Courier services or another form of alternate secure channel may also be required for
some instructions to a person because these instructions may have information specific to each POS terminal. Moreover, the explicit operational details in the prior art have a negative impact on the value of the procedures.

The U.S. Pat. No. 5,784,463 uses public key cryptography to establish some long term cryptographic keys in a manner analogous to U.S. Pat. No. 4,771,461, but it lacks facilities for verification of identity such as the time windows in U.S. Pat. No. 4,771,461. In other words, the U.S. Pat. No. 5,784,463 embeds no procedural countermeasure against the threat of theft of identity. Without any such countermeasure, a would-be defrauder simply needs the electronic version of identification information needed for registration in order to attempt an impersonation attack.

The U.S. Pat. No. 5,216,715 on lines 14 to 18 on column 5 (and on lines 16 to 23 on column 6) refers to a known procedural protection used for remote user authentication at the outset of a telephone call, just after some session key establishment protocol, that is the verbal confirmation that some check value agrees on both ends of the telephone call. The assurance provided by this procedural authentication step is valid for the duration of the telephone call only. For a security system to be as unintrusive as possible, routine operations such as a telephone call setup should use fully automated security mechanisms; procedural steps should be used sparingly, e.g. for the initial registration of legitimate users of the system. Indeed, the procedural step for remote telephone operator identification as in U.S. Pat. No. 5,216,715 is typical of very high security telephone sets. In addition, the procedural verification of identity in U.S. Pat. No. 5,216,715 does not work if the call is established with a voice mailbox.

In the field of wireless subscriber registration, the U.S. Pat. No. 5,077,790 discloses a procedure based on the establishment of a "key code" that is a secret key shared between a portable telephone and the network controller. Upon verification of the applicant's credit, a help desk agent provides a "link identification number" that binds the credit approval to the subsequent download of the definitive "subscriber identification number", this download being cryptographically protected with the initial "key code". This procedure is inconvenient due to the manual operations involved in the establishment of the "key code" and might be vulnerable to eavesdropping because every security critical information is transmitted over the air while no public key cryptography is involved.

In many cases, security system features create more inconvenience to the users than effective protection. This is the case in the U.S. Pat. No. 5,386,468 that discloses an electronic identification registration procedure where the typing of user application information on a communication terminal keyboard is duplicated by filling a user application form and mailing it. This duplicate work is inconvenient because the paper processing actually delays the reply in the query/reply protocol used for registration. One can assume that U.S. Pat. No. 5,386,468 is practiced without the procedural step (paper processing) for which no clear purpose is disclosed. In any event, the key management burden in the manufacturing and distribution of terminals is significantly higher in U.S. Pat. No. 5,386,468 than in U.S. Pat. No. 4,771,461.

The elementary cryptographic operation used in transaction authentication can also be a digital signature from the field of public key cryptography, in which case a representative description of the prior art may be found in the Working Draft ANSI standard X9.30-199x Public Key Cryptography Using Irreversible Algorithm for the Financial Services Industry ([...], Washington, D.C., Nov. 19, 1994, document N24-94). The present invention alleviates the traditional burden of secret key distribution, and thus suggests the avoidance of the public key infrastructure described in the mentioned Working Draft standard X9.30-199x. Indeed, the financial industry has been operating on a centralized trust model for decades and the adoption of public key paradigms may be expected to remain low.

Turning now to the logical bind between the account holder (or the account holder agent) and a cryptographic operation performed by a digital apparatus, one way to let the account holder control the use of a cryptographic key is to store it on a hand held memory device in credit card format, or in a format suitable for attachment on a key ring, or any other small size format. Thus, the account holder is relieved from the obligation to control the access to a fixed apparatus like a computer system, or a luggage-size apparatus like a portable personal computer. When the hand-held memory device contains intrinsic data access control features, it falls into the smart card category. This usually requires a rudimentary microprocessor along with the memory device. With further sophistication, a hand held electronic device may embed sufficient processing power and/or memory to perform complete cryptographic operations. In the latter case, the security is enhanced by avoiding the threat of malignant software modifications. The present invention facilitates the establishment of the secret key to be loaded on hand held devices where the prior art required the use of centralized key loading facilities, and/or secure transmission of secret keys using trusted courier services. The present invention may allow the avoidance of centralized smart card personalization operation.

The centralized trust model typical of the financial industry is assumed by the United States regulatory environment for consumer protection in the case of electronic fund transfers. The field of the present invention is more specifically covered by EFTA, Electronic Fund Transfer Act, Title IX of the Customer Credit Protection Act, (15 U.S.C. §1601 et seq.) and Regulation E, Electronic Fund Transfers, (12 C.F.R. §205) Section 205.5 which deals with the issuance of access devices used for customer-initiated EFT. In some circumstances and according to these rules, a secret key (established with the help of cryptographic protocols) may fall under the legal definition of an access device. In such a case, a verification of the customer identity is prescribed as a condition for the final validation of the secret key for EFT transactions. An object of the present invention is to facilitate the issuance (of access devices) complying with the EFTA Regulation E or similar rules.

A difficulty with key management methods that require centralized configuration or personalization is the implied restrictions on the channels of distribution. For consumer electronics, computer products, and software devoid of security functions, a myriad of channels are possible: catalog sales, retail stores, large discounters, and the like, the list being endless. If an item (like an access device for an EFT service) has to be prepared for a specific customer by trusted personnel according to procedures dictated by a financial institution, the possible channels of distribution are very few, if any, besides courier shipment by the financial institution. U.S. Pat. No. 5,557,679 is an attempt to use retail outlets for the distribution of subscriber identity modules
(portable memories used for mobile telephone subscriber authentication). The present invention broadens the choices of acceptable channels of distribution for authentication devices.

In U.S. Pat. No. 5,557,679, secret keys are pre-established to secure a network of retail locations where the key loading operation is performed. There is no capability for the fully distributed scenario where the target electronic devices are remotely located from any (already) secured system. Secret key schemes that avoid the use of courier services in a fully distributed scenario are conceivable if the target electronic devices are already loaded with a common, fixed key "hidden by being included in the [device] programmable read only memory (PROM) at manufacturing level", as in U.S. Pat. No. 5,539,824. Such a scheme is generally considered not so secure except perhaps when offered by a very reputable supplier [...].

The famous Diffie-Hellman cryptosystem described in U.S. Pat. No. 4,200,770 and the recent similar proposals found in U.S. Pat. Nos. 5,583,939 and 5,375,169 do not provide remote party authentication and secret key freshness simultaneously. Indeed the "public key" of a Diffie-Hellman exchange is usually considered a short-lived cryptographic value, and the authentication [...] of the exchange is not used. For instance, U.S. Pat. No. 5,020,105 applies Diffie-Hellman to the task of establishing a secret authentication key, but does not provide facilities for verification of account [...]. The computational load implied by the original Diffie-Hellman cryptosystem is large, while the security of U.S. Pat. Nos. 5,583,939 and 5,375,169 is questionable or uncertain. The recent article by Lein Harn, [...] using a one-way function (in Electronics Letters, Jan. 16, 1997, Vol. 33, No 2, pp. 125-126) discloses a noteworthy attempt at enhancing the Diffie-Hellman scheme with authentication properties.

It is logical that the disclosure in U.S. Pat. No. 4,771,461 stresses the need for data integrity in the key loading operation, and at the same time uses a public key cryptosystem, RSA, with a long-term public key assigned to the financial institution. This public key participates in the authentication of the financial institution to the benefit of the client-side of the secret key establishment. The security of this prior art depends on the unpredictability of the random number source on the client-side. The use of random sources for cryptographic key material has been recognized as a potential source of security flaws.

Any scheme where the client-side of the session key establishment already has a long term public key is likely to address a need different from the present invention, based on the premises of public key cryptography. U.S. Pat. No. 5,406,628 may be a good example.

Last, but not least, is the disclosure by the present Applicant, of the Probabilistic Encryption Key Exchange (PEKE) cryptosystem in Canadian patent application 2,156,780 (entitled Apparatus and Method for Cryptographic System Users to Obtain a Jointly Determined, Secret, Shared, and Unique Bit String, filed on Aug. 23, 1995, laid-open to the public on Sep. 23, 1995), in an article by Thierry Moreau, Probabilistic Encryption Key Exchange (in Electronics Letters, Vol. 31, number 25, Dec. 17, 1995, pp 2166-2168), and in a technical report by Thierry Moreau, Automated Data Protection for Telecommunications, Electronic Transactions and Messaging using PEKE Secret Key Exchange and Other Cryptographic Algorithms, Technology Licensing Opportunity (revision 1.1, CONNOTECH Experts-Conseils Inc., Montreal, Canada, March 1996, with legal deposits in the National Library of Canada, where it was not available to the public before April 1997, and in the National Library of Quebec, where it was made available to the public some time between November 1996 and January 1997). The PEKE cryptosystem is based on the Blum-Goldwasser probabilistic encryption scheme (see the article by Manuel Blum and Shafi Goldwasser, An Efficient Probabilistic Public-key Encryption Scheme Which Hides All Partial Information, in Advances in Cryptology: Proceedings of Crypto'84, Springer-Verlag, 1985, pp 289-299). The PEKE cryptosystem has been disclosed so far for session key establishment with no facilities for the verification of identity. Indeed transaction authentication using PEKE is suggested in the mentioned technical report by Thierry Moreau, but using a preset shared secret password as the basis for authentication, and PEKE for session key establishment. For the present invention, the PEKE cryptosystem is one of three acceptable cryptosystems, the other two being conventional public key encryption (e.g. RSA, in U.S. Pat. No. [...]) and Lein Harn's improvement to the Diffie-Hellman key exchange in the mentioned article by Lein Harn.

The commonly used public key cryptosystems require arithmetic operations on large integers, and especially the modulo reduction [...]. To make these computations relatively efficient, the use of the Montgomery modulo reduction algorithm is [...] (see the article by Peter L. Montgomery, Modular Multiplication Without Trial Division, in Mathematics of Computation, Vol. 44, no 170, April 1985, pp 519-522). Two implementations are described in the article by S. R. Dussé and B. S. Kaliski Jr., A Cryptographic Library for the Motorola DSP56000 (in Advances in Cryptology, Eurocrypt '90, Lecture Notes in Computer Science no. 473, Springer-Verlag, 1990) and in the article by S. E. Eldridge and Colin D. Walter, Hardware Implementation of Montgomery's Modular Multiplication Algorithm (in IEEE Transactions on Computers, Vol. 46, no. 6, June 1993, pp 693-699); these two detailed accounts of the Montgomery implementation are targeted, respectively, at digital signal processors with peculiar instruction sets, and at dedicated integrated circuit design. Adaptations of this prior art [...] the Montgomery algorithm is implemented on a [...] processor [...].

SUMMARY OF THE INVENTION

According to the present invention, there is an "issuer", that is a service organization that registers "applicants". For the issuer, it is reasonable and economically justified to maintain a computerized "database" of its customers, account holders, clients or subscribers, where this database contains sensitive information, and to train personnel, or "issuer agents", to provide customer services with a relevant degree of integrity and loyalty. The issuer database is secured using the known art of data processing security where a single organization may exert effective control of the system security. Typically, this will include cryptographic processing capabilities closely associated with the database in such a way that secret keys are not accessible to issuer personnel. At the same time, the issuer agents are typically provided with relevant customer data needed to respond to specific customer requests. The issuer agents typically access this data on a need-to-know basis through on-line terminals with controlled access to software functions, and with auditing to deter or sanction frauds that agents might conceive or commit.
The present invention is an improved method for the establishment of a secret key shared in confidence between a digital memory possessed by an applicant and the issuer database, where no prior secret is available from which the desired secret key could be derived. The present invention may obviously be used to establish a secret key when a choice is made to ignore any prior secret, e.g. due to a suspected security breach.

The following table shows the preliminary steps needed for the present invention. The issuer arranges his own private/public key pair for a Public Key Cryptosystem (PKC) that is later used, in any number of secret key establishment instances, to protect a message transmission from the applicant's digital processor to the issuer data processing center where the issuer's private key may be used. At least three PKCs are acceptable: 1) conventional public key encryption, 2) the PEKE cryptosystem, and 3) Lein Harn's improvement to the Diffie-Hellman key exchange. Each PKC has intrinsic properties that can lead to variations of the present invention.
The issuer also prepares some application software that embeds an "applicant registration program" and a copy of the issuer's public key. The applicant obtains a copy of this application software from any type of distribution channel because there is no customization required at this stage. The applicant also obtains a portable memory device if the secret key is to be stored on such a device, again from any type of distribution channel.



In an instance of secret key establishment, under the control of the applicant, the application registration program is executed by a digital processor. See the following table. This program generates a secret key, preferably not arbitrarily but starting with one or more arbitrary numbers and then applying transformations mandated by the PKC in use and taking into account the issuer's public key, the said transformations preferably taking into account a first message according to the cryptosystem in use and issued by or on behalf of the issuer. When the PKC in use is conventional public key encryption, there is no first message. When the PKC in use is PEKE, the first message is the PEKE initiator's message and it may be issued by or on behalf of the issuer. When the PKC in use is Lein Harn's improvement to the Diffie-Hellman key exchange, the first message must be issued by the issuer because it requires knowledge of the issuer's private key, and the transformations further include the abortion of the process upon the failure of a digital signature verification.



Once generated, part or all of this secret key is loaded into the portable memory device, if any, otherwise into a convenient digital memory area. Alternatively, it may be displayed to the applicant in human-readable form, in which case the applicant would presumably load this key into a separate apparatus having its own memory.

Another function of the applicant registration program is to accept secret inputs chosen by the applicant and typed on a keyboard. The secret inputs preferably include a pass query. The secret inputs include a pass reply. According to the spirit of the present invention, the applicant should be instructed not to disclose the pass reply to anyone but to an issuer agent who preferably would first pronounce the pass query.

The main role of the PKC in use is to provide protections for 1) the generated secret key, 2) preferably the pass query, 3) the pass reply, and 4) optionally other data, during their transmission to the issuer data processing center. A PKC alone cannot conveniently provide all the required protections. Accordingly, a hybrid public/secret key cryptosystem is needed. The details of this arrangement are influenced by the specific PKC in use in any embodiment of the present invention. The result of the hybrid public/secret key cryptosystem is put in a second message sent to the issuer data processing center.

At the issuer data processing center, the second message is received and then the algorithms used for protection are reversed, notably using the issuer's private key. Upon failure of any verification, the process is aborted. Then the applicant's record in the issuer database is expanded to include 1) part or all of the generated secret key, 2) preferably the pass query, and 3) the pass reply.
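The applicant-side and issuer-side processing described in the preceding paragraphs, together with the agent's final acceptance or rejection that later changes the status of the key, as an added worked example (not code from the patent or from its applicant). The issuer's public key cryptosystem is a small Blum-Goldwasser-style key transport used here as a stand-in for PEKE (the patent only says PEKE is based on the Blum-Goldwasser scheme, so this is an assumption, not PEKE itself); HMAC-SHA256 as the MAC, a SHA-256 counter keystream as the cipher, the toy primes, the record layout and the status values "pending", "validated" and "void" are likewise assumptions made for the example.

```python
"""Toy model of the secret key registration exchange: applicant program,
issuer data processing center and issuer agent decision.

Added illustration, not code from the patent or from its applicant.  The
public key cryptosystem (PKC) is a small Blum-Goldwasser-style key
transport used as a stand-in for PEKE; the MAC, the cipher, the prime
sizes and the record layout are assumptions made for this example and
are far too small for real use.
"""
import hashlib
import hmac
import json
import secrets

T_SQUARINGS = 16  # assumed number of squarings in the toy transport


def issuer_keypair(p, q):
    """Preliminary step: issuer private key (p, q), public key n = p*q.
    Both primes must be 3 mod 4 so that square roots are easy to take."""
    assert p % 4 == 3 and q % 4 == 3
    return (p, q), p * q


def pkc_encapsulate(n, r=None):
    """Applicant side of the toy PKC: x0 = r^2 mod n is the PKC secret;
    the transmitted value is x0 squared T_SQUARINGS times, which only
    the holder of p and q can invert."""
    if r is None:
        r = secrets.randbelow(n - 2) + 2
    x0 = pow(r, 2, n)
    return x0, pow(x0, 1 << T_SQUARINGS, n)


def pkc_decapsulate(priv, n, xt):
    """Issuer side: undo the squarings modulo each prime.  For p = 3 mod 4
    the principal root of a quadratic residue a is a^((p+1)/4), so
    T_SQUARINGS roots are one exponentiation; then recombine by CRT."""
    p, q = priv
    dp = pow((p + 1) // 4, T_SQUARINGS, p - 1)
    dq = pow((q + 1) // 4, T_SQUARINGS, q - 1)
    xp = pow(xt % p, dp, p)
    xq = pow(xt % q, dq, q)
    h = ((xq - xp) * pow(p, -1, q)) % q
    return (xp + p * h) % n


def derive_keys(x0):
    """Hybrid arrangement: the PKC secret yields an encryption key, a MAC
    key and the long-term key assigned to the applicant (assumed KDF)."""
    seed = x0.to_bytes(16, "big")
    return tuple(hashlib.sha256(label + seed).digest()
                 for label in (b"enc", b"mac", b"assigned"))


def keystream_xor(key, data):
    """Counter-mode keystream from SHA-256 (assumed cipher); XOR both ways."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def applicant_register(n, pass_query, pass_reply, r=None):
    """Applicant registration program.  Returns the key to load into the
    secret key store and the second message for the issuer."""
    x0, xt = pkc_encapsulate(n, r)
    enc_key, mac_key, assigned_key = derive_keys(x0)
    payload = json.dumps({"query": pass_query, "reply": pass_reply}).encode()
    tag = hmac.new(mac_key, payload, hashlib.sha256).digest()  # MAC, then encrypt
    body = keystream_xor(enc_key, payload + tag)
    return assigned_key, {"xt": xt, "body": body.hex()}


def issuer_process(priv, n, message, database):
    """Issuer data processing center: reverse PKC, cipher and MAC; abort on
    any failure; otherwise add a pending registration to the database."""
    x0 = pkc_decapsulate(priv, n, message["xt"])
    enc_key, mac_key, assigned_key = derive_keys(x0)
    plain = keystream_xor(enc_key, bytes.fromhex(message["body"]))
    payload, tag = plain[:-32], plain[-32:]
    expected = hmac.new(mac_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC verification failed; registration aborted")
    fields = json.loads(payload)
    record_id = len(database) + 1
    database[record_id] = {"key": assigned_key, "query": fields["query"],
                           "reply": fields["reply"], "status": "pending"}
    return record_id


def agent_decision(database, record_id, accepted):
    """Issuer agent's input after the alternate-channel conversation: the
    key becomes 'validated' or 'void', and the one-time pass query and
    reply are dropped since they have no further use."""
    record = database[record_id]
    record["status"] = "validated" if accepted else "void"
    del record["query"], record["reply"]
    return record["status"]


if __name__ == "__main__":
    priv, pub = issuer_keypair(10007, 10039)  # toy Blum primes (assumed)
    db = {}
    key, msg = applicant_register(pub, "Where did my father look?", "in the attic")
    rid = issuer_process(priv, pub, msg, db)
    print("issuer derived the same key:", db[rid]["key"] == key)
    print("status after agent check:", agent_decision(db, rid, True))
```

The MAC-then-encrypt ordering follows the abstract ("MACs and encrypts"); a production design would rather use an authenticated encryption mode and real key sizes. The properties worth checking are the ones the text relies on: a second message altered in transit fails MAC verification and is discarded before any record is written, the issuer ends up with exactly the key the applicant loaded into its key store, and the pass query and pass reply leave the record once the agent has decided.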

From then on, an issuer agent may be assigned the task of communicating with the applicant to verify the applicant's identity. See the following table. This communication should be two-way simultaneous like a telephone conversation or a personal visit to a branch of the issuer. The issuer data processing facilities display, or otherwise make available in human understandable form, the information relevant to the verification of the applicant's identity, namely some identification data, preferably the pass query, and the pass reply. During this conversation, preferably the issuer agent
pronounces the pass query, allowing the applicant to recognize the agent as being authorized to verify his identity. Then, the applicant should pronounce the pass reply, while the issuer agent listens and verifies the pass reply. During this conversation, the issuer agent generally verifies the applicant's identity. The data processing facilities provide the agent with an input mechanism, e.g. an input field on a computer screen, to enter the final acceptance or rejection of the registration. This causes a change in the status of the secret key in the issuer database. The pass query and pass reply are not intended for further use after this verification of identity.

    Issuer data processing      Issuer agent                  Applicant
    --------------------------  ----------------------------  --------------------------
    Communicate applicant's     Establish realtime contact    Establish realtime contact
    data
    Show pass query and         Pronounce pass query
    pass reply
                                                              Pronounce pass reply
                                Verify applicant's identity   Answer questions

Generally speaking, the present invention assists the development of mutual recognition relationships between the applicant and the issuer. Thus, an account of the trust relationships through the recommended use of the invention may help its understanding.

In a preferred embodiment of the present invention, the chain of recognition relationships starts with the applicant receiving some software (e.g. in the form of an on-line banking software package, or in the form of firmware within an electronic wallet) that he may recognize as genuinely endorsed by the issuer, and that contains the public key of the issuer stored with a proprietary or semi-proprietary data integrity algorithm. Stated differently, the applicant believes that some software package or security device is not bogus, presumably because of its look and feel. What he believes genuine contains the public key of the issuer. Some obscure method is used by what-he-believes-genuine to make sure no defrauder pasted his own public key in place of the issuer's public key.

When the applicant starts the applicant program, a new secret key is generated locally. Also, the applicant's program gets input, from the applicant, for two secret phrases used only for registration purposes, namely a "pass query" (e.g. "Where did my father look when he was at the boarding

[...] issuer program execution, the applicant record in the issuer database is updated with a fresh, yet to be validated secret key registration, and the pass query and pass reply. As yet another result of the issuer program execution, an issuer agent may, at any time thereafter, be assigned the task of validating the applicant's identity with a personal conversation.

During the conversation between the applicant and an issuer agent according to the present invention, the present invention provides the issuer agent with the applicant information needed for the verification of identity, namely personal descriptive data (e.g. mother's maiden name and state of birth), pass query, and pass reply. The issuer agent should pronounce the pass query to the person he is speaking with, and wait for this person to pronounce the pass reply. In case this verification fails, the present invention provides the issuer with means to flag the registration as being void. The issuer agent should give rapid warning to the legitimate applicant since in these circumstances an impostor could impersonate a user agent for this applicant. In the normal case where the pass reply verification is successful, and assuming that the applicant did not reveal the pass reply to anyone, the issuer agent is assured that the person he is speaking with is the one who entered the pass query and reply when the applicant's secret key was generated. Then the issuer agent should check that this person knows, without unusual hesitation or imprecision, the descriptive data about the applicant. This is the verification of identity that binds the applicant to the shared secret key established with the cryptographic protocol. If the verification of identity is successful, the issuer agent is assured that the person he is speaking with is indeed the applicant for whom the secret key registration was awaiting validation in the issuer's database. The present invention thus provides the issuer agent with means to flag the secret key registration as being accepted or validated. It is an object of the present invention to offer a remote secret key initialization and loading protocol with sensible identity verification procedures. It is yet another object of the present invention to provide enhanced security in view of the subtleties of attacks to cryptographic protocols and algorithms. It is yet another object of the present invention to provide cost-effective customer registration procedures for the delivery of electronic transactions based on a secret authentication key. It is yet another object of the present invention to provide customer registration procedures facilitating the use of alternate channels for the distribution of devices used for authentication.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be better understood by way of
school?") and a "pass reply" (e.g. "My first car was brown ^ following detailed description of the invention with 
and rusty."), both of them being protected, along with the re f ere nce to the appended drawings, in which: 
newly generated secret key. The issuer's public key is used J fa ^ blDckdi mustratiD g the secret 

as the starting point of the protection mechanism. The resul estab{ishment meth od and system according to the 

is sent as the digital message from the applicant s digital ss invcntion . 

processor to the issuer's ^/"'^^^^^r FIG . 2 is a detailed block diagram instating the applicant 

them is an issuer agent; this level of assurance being FIG. 3 is a detailed block diagram illustrating the reversed 

proportional to the applicant's trust in the issuer's opera- so cryptographic processing done in the issuer data processing 

tional integrity. The applicant should be given clear instruc- center according to the present invention and the facilities 

tions to reveal the pass reply only to someone who just provided by the present invention for verification of identity, 

pronounced the pass query. DETAILED DESCRIPTION OF THE 

Upon receipt of the digital message from the applicant by INVENTION 

the issuer, the issuer program may be executed within the 65 ..... , • ,,-„„ „, 

issuer data processing facilities, where the private counter- Some operations required by the present invention are 

part of the issuer's public key is available. As a result of the performed by digital processors. Such operations are here- 
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after called "controlled computer operation" but are none- 
theless considered as acts of either the applicant or the 
issuer. In practice, these operations are performed by a 
computer or other electronic apparatus under the control of 
either the applicant or the issuer. The degree of effective 
control on any computer operation may influence the secu- 
rity of the whole secret key establishment method as some- 
one knowledgeable in the field of information system secu- 
rity will appreciate from the following description. 

The inputs and outputs of controlled computer operations are often stored in digital memories. Then, again, uninterrupted possession and/or control over the use of these digital memories may influence the security of the whole secret key establishment method. When a digital memory is physically protected against unauthorized reading or modification, it becomes a "physically secure memory".

It is well known in the field of cryptography and information security how a legitimate user reverses a given cryptographic function from the knowledge of the appropriate keys. Thus, the disclosure of the present invention does not require the same level of detail for the reversal of a cryptographic function as for the function itself.

A public key cryptosystem (PKC) is at the heart of the proposed secret key establishment method. There are three possible PKCs, namely 1) any Public Key Encryption (PK-Encr) scheme, 2) the Probabilistic Encryption Key Exchange (PEKE), and 3) the Diffie-Hellman scheme as improved by Lein Harn (DH-Harn). For the PK-Encr case, the prior art is mature for a number of practical alternatives, notably RSA. For PEKE and DH-Harn, the prior art needs some precision for use in the present invention. PEKE is used in the preferred embodiment; provisions are made to exploit its efficiency as a public key cryptosystem for the applicant. The following "PKC specification table" portrays the use of each PKC in the present invention. For PK-Encr, the RSA cryptosystem is used as an example in the PKC specification table. For PEKE and DH-Harn, the PKC specification table and the rest of the narrative specification are mutually agreeing. The mathematical notation for each PKC is independent from each other (e.g. the symbol "e" for PEKE bears no relation to the symbol "e" for DH-Harn). As with most public key cryptosystems, all computations are made with integer arithmetic, and often with very large operands. The usual known art of algorithmic number theory is implied. The symbol "|" represents concatenation of k-bit strings, and tacitly specifies a conversion from integer to bit string. Any of the following symbols should be read as if it was a one-letter symbol: x_A→B, alpha, beta, mu, and nu.
TABLE 4

The PKC specification table.

Public key
  RSA (PK-Encr): N = P × Q, e
  PEKE: N = P × Q
  DH-Harn: y = a^x mod p

Private key
  RSA (PK-Encr): P, Q, d, where P and Q are large random primes, and d × e mod (P−1)(Q−1) = 1
  PEKE: P, Q, where P and Q are large random primes congruent to 3 modulo 4 (note 1)
  DH-Harn: random x, x < p

Other parameters
  RSA (PK-Encr): none
  PEKE: S, C, k, t, where 0 < C × S < N, k < ln(N)/ln(2)
  DH-Harn: p, a, where p is a large prime number and a is a "generator"

First message
  RSA (PK-Encr): n/a
  PEKE: random x_A→B, where x_A→B < C
  DH-Harn: r = a^k mod p from private random k, and s from the signature equation (note 5)

Verification of first message
  RSA (PK-Encr): n/a
  PEKE: none
  DH-Harn: signature verification equation (note 5)

Internal secret key
  RSA (PK-Encr): secret random number k
  PEKE: w = B_0|B_1|...|B_(t−1) from secret random x_B, where x_B < N/C (note 2)
  DH-Harn: r^e mod p from private random e

Length of internal key
  RSA (PK-Encr): < ln(N)/ln(2)
  PEKE: k × t
  DH-Harn: ln(p)/ln(2)

Second message
  RSA (PK-Encr): c = k^e mod N
  PEKE: x_t
  DH-Harn: f = a^e mod p

Verification of second message
  RSA (PK-Encr): none
  PEKE: (note 3)
  DH-Harn: none

Recovery of internal secret key
  RSA (PK-Encr): k = c^d mod N
  PEKE: w = B_0|B_1|...|B_(t−1) from secret e (note 4)
  DH-Harn: f^k mod p from private random k

Note 1: Preferably perform the pre-computation of integers a and b such that a × P + b × Q = 1, and alpha = ((P + 1)/4)^(t+1) mod (P − 1), and beta = ((Q + 1)/4)^(t+1) mod (Q − 1).

Note 2: Compute x = (x_B − (x_B mod S)) × C + x_A→B × S + (x_B mod S), x_0 = x^2 mod N, x_(i+1) = x_i^2 mod N, where i runs from 0 to t − 1, and B_i = x_i mod 2^k, where i runs from 0 to t − 1.

Note 3: Compute mu = (x_t mod P)^alpha mod P, nu = (x_t mod Q)^beta mod Q, e = (b × Q × mu + a × P × nu) mod N, f = (b × Q × (P − mu) + a × P × nu) mod N, g = (b × Q × mu + a × P × (Q − nu)) mod N, h = (b × Q × (P − mu) + a × P × (Q − nu)) mod N, and then verify that one of e, f, g, or h satisfies x_A→B × S = (? mod (S × C)) − (? mod S), where ? stands for the candidate being tested.

Note 4: Compute x_0 = e^2 mod N, x_(i+1) = x_i^2 mod N, where i runs from 0 to t − 1, and B_i = x_i mod 2^k, where i runs from 0 to t − 1.

Note 5: Lein Harn proposes four possible equation pairs for signature generation/verification, as indicated below:

Signature generation                 Signature verification
(1) r × x = k + s mod (p−1)          y^r = r × a^s mod p
(2) s × x = k + r mod (p−1)          y^s = r × a^r mod p
(3) x = r × k + s mod (p−1)          y = r^r × a^s mod p
(4) x = s × k + r mod (p−1)          y = r^s × a^r mod p

In the preparation for later secret key establishment instances, the issuer gets a private/public key pair for itself, according to the PKC in use. See the PKC specification table under the row headings "Public key" and "Private key". This is a controlled computer operation. The issuer makes the issuer private key 205 available in the issuer data processing center 300 with the usual security precautions to prevent disclosure or unauthorized use.
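The PEKE column of the PKC specification table, Notes 1 to 4, worked through end to end in Python. This is an added example, not code from the patent. Its assumptions: the primes 1019 and 1031, S = 64, C = 1024, k = 8 and t = 4 are constructed toy values (a deployment would use large primes); the secret x_B and the first-message value x_A→B are fixed sample numbers rather than random draws; and the root-extraction exponent of Note 1 is read as t+1, which is what makes the t+1 root extractions of Note 3 undo the t+1 squarings of Note 2. The issuer-side check of Note 3 is what rejects a second message whose embedded x_A→B does not match the first message the issuer expects.

```python
# Added example (not the patent's code): PEKE with toy parameters, Notes 1-4.
from math import gcd

# Issuer key pair and parameters (table rows "Public key", "Private key",
# "Other parameters"). Constructed toy primes, both congruent to 3 modulo 4.
P, Q = 1019, 1031
N = P * Q
S, C = 64, 1024            # 0 < C x S < N
K_BITS, T = 8, 4           # k bits per chunk, t chunks -> w has k*t bits


def egcd(x, y):
    """Extended Euclid: returns (g, a, b) with a*x + b*y = g = gcd(x, y)."""
    if y == 0:
        return x, 1, 0
    g, a, b = egcd(y, x % y)
    return g, b, a - (x // y) * b


def note1_precompute():
    """Note 1: a, b with a*P + b*Q = 1, plus the root-extraction exponents.
    Exponent t+1 (this example's assumption) undoes the t+1 squarings of Note 2."""
    g, a, b = egcd(P, Q)
    assert g == 1
    alpha = pow((P + 1) // 4, T + 1, P - 1)
    beta = pow((Q + 1) // 4, T + 1, Q - 1)
    return a, b, alpha, beta


def note2_applicant(x_b, x_ab):
    """Note 2 (applicant side): embed secret x_B and first-message x_A->B in x,
    square t+1 times modulo N, take k-bit chunks of x_0 .. x_{t-1}.
    Returns (w, x_t): w is the internal secret key, x_t the second message."""
    assert 0 < x_b < N // C and 0 < x_ab < C
    x = (x_b - (x_b % S)) * C + x_ab * S + (x_b % S)
    assert gcd(x, N) == 1
    xs = [pow(x, 2, N)]                         # x_0 = x^2 mod N
    for _ in range(T):
        xs.append(pow(xs[-1], 2, N))            # x_{i+1} = x_i^2 mod N
    w = 0
    for xi in xs[:T]:                           # w = B_0 | B_1 | ... | B_{t-1}
        w = (w << K_BITS) | (xi % (1 << K_BITS))
    return w, xs[T]


def note3_issuer_roots(x_t, x_ab):
    """Note 3 (issuer side): the four square roots e, f, g, h of x_0 from x_t
    using the private primes; keep the one that embeds the expected x_A->B.
    Returns the accepted root, or None (suspected security breach)."""
    a, b, alpha, beta = note1_precompute()
    mu = pow(x_t % P, alpha, P)
    nu = pow(x_t % Q, beta, Q)
    candidates = [
        (b * Q * mu + a * P * nu) % N,               # e
        (b * Q * (P - mu) + a * P * nu) % N,         # f
        (b * Q * mu + a * P * (Q - nu)) % N,         # g
        (b * Q * (P - mu) + a * P * (Q - nu)) % N,   # h
    ]
    for cand in candidates:
        if x_ab * S == (cand % (S * C)) - (cand % S):
            return cand
    return None


def note4_issuer_recover(root):
    """Note 4: regenerate the squaring chain from the accepted root to rebuild
    w; x_B is unpacked as well since the issuer may keep it for audit."""
    xs = [pow(root, 2, N)]
    for _ in range(T):
        xs.append(pow(xs[-1], 2, N))
    w = 0
    for xi in xs[:T]:
        w = (w << K_BITS) | (xi % (1 << K_BITS))
    x_b = (root // (S * C)) * S + (root % S)
    return w, x_b


def run_exchange(x_b=777, x_ab=513):
    """One PEKE instance, applicant then issuer (sample values, not random).
    Returns (applicant_w, issuer_w, recovered_x_b); the last two are None when
    the Note 3 check fails and the issuer aborts."""
    w_applicant, x_t = note2_applicant(x_b, x_ab)     # second message = x_t
    root = note3_issuer_roots(x_t, x_ab)
    if root is None:
        return w_applicant, None, None
    w_issuer, x_b_recovered = note4_issuer_recover(root)
    return w_applicant, w_issuer, x_b_recovered


if __name__ == "__main__":
    print(run_exchange())
```

All four candidates square to the same x_0, so w itself does not depend on which root is picked; the Note 3 comparison is what ties the second message to the first message's x_A→B and lets the issuer abort on a mismatch.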

Still in the preparation for later secret key establishment instances, the issuer prepares a set of parameters to be used in controlled computer operations by the applicant. In all cases, the issuer public key is part of this set of parameters. This set of parameters also includes the elements listed under the row heading "Other parameters" in the PKC specification table. This set of parameters may also include identification data for the issuer, like the electronic mail address where the secret key registration should be sent.

In the preferred embodiment, this set of parameters includes additional data for the PEKE cryptosystem intended to reduce the computation load for the controlled
computer operations by the applicant. This includes the [...] could be part of the first message 103 instead. Still in the preparation for later secret key establishment instances, the issuer preferably [...] the issuer public key. In the preferred [...] controlled computer operation respectively by the issuer, or by this certification authority. As is known from the prior art, a [...] may be used, in which case [...] may be an integral part of the result of the transformation. Note that with digital signatures, the Frogbit or a proprietary algorithm may still be used to protect the integrity of a certification authority public key. Whenever the mentioned transformation is used, its result is shown as "sealed public key" 203 in the figures. Still in the preparation for later secret key establishment instances, the issuer prepares an executable computer program comprising at least the applicant registration program 100. If the mentioned transformation was not used, the applicant registration program 100 is compatible with the set of parameters. If the mentioned transformation was used, the applicant registration program 100 is compatible with the sealed public key 203 and it includes the integrity mechanism 107 that is the programmed reversal of the transformation. If the transformation uses the Frogbit semi-proprietary algorithm or another proprietary algorithm, the preparation of this executable program is a controlled computer operation by the issuer because a secret algorithm and a secret key of the issuer must be embedded in the executable program. In the preferred embodiment, the executable program comprises substantially more application code than just the applicant registration program 100, so its look and feel would be difficult to reproduce by a defrauder. The executable program may be embedded in an electronic apparatus like a POS terminal instead of being run by a general purpose computer. In the preferred embodiment, the executable program is run by a general purpose computer and the sealed public key 203 is stored in a computer file separate from the executable file.

In preparation for later secret key establishment instances, the applicant has or obtains a copy of an executable program comprising the applicant registration program 100, a copy of the sealed public key 203, and a portable memory device 102. These items may take several forms, and may be combined depending on the variations of the invention. The "portable" memory device 102 is any memory suitable for a given application, including a plurality of memories if key splitting is used. In the preferred embodiment, the portable memory device 102 is a very simple small memory device which can be temporarily connected to a personal computer using an inexpensive connector, for example the Dallas Semiconductor DS1992 1K-Bit Touch Memory "button" featuring 1024 bits of non-volatile read/write memory plus a 48-bit unique read-only serial number, in a coin-size metal casing that can be attached to a key ring. The reader/connector is part number DS9092GT which connects the Touch Memory to a serial port of the personal computer.

Some variants of the secret key establishment process [use] a first message 103. This is mainly dependent on the PKC in [use ...] 103 [...] its generation is a controlled computer [operation ...]. In the preferred embodiment where PEKE is used in the present invention, the generation of first message 103 may be assigned to the applicant registration program 100, in which case there is obviously no transmission of the first message 103 to the applicant registration program 100.

If PEKE is used in the present invention and if the generation of the first message 103 is not done by the issuer, the issuer must somehow receive its contents. One possible arrangement is to let the applicant registration program 100 include the contents of the first message 103 in the second message 104. This is done in the preferred embodiment, in which case the generating party affixes reference numbers to first messages 103 and keeps a log of the first messages 103. This allows the issuer to audit the generation of first messages 103. The rationale behind the use of a first message 103 is related to subtle weaknesses in cryptographic protocols and their implementations. For instance, if the issuer does not trust the applicant's processor random source 105, PK-Encr should be avoided. With DH-Harn a passive eavesdropper to the secret key exchange could notice a failure of the applicant's processor random source where the random output would turn out to be constant among a number of instances of secret key exchange. With PEKE, this is not an issue. The issuer may use discipline in the way first messages 103 are generated to ensure absolute uniqueness or freshness of the secret key generated by instances of the secret key exchange. For uniqueness, the issuer should tag each first message 103 with a serial number and make sure any serial number is used only once. For freshness the issuer should keep a record of creation times for first messages 103 and reject older ones. In the preferred embodiment, the applicant registration program 100 is trusted to timely request a first message 103 on each instance of secret key exchange, and to discard it once used. Also, in the preferred embodiment a system with a [...] random source may generate first messages 103, and no specific tracking of first messages 103 is needed. With PEKE, the presence of the number x_A→B protects the issuer against "chosen ciphertext attacks" known in the [...] the generation of first message 103 is not done by the issuer. The present invention may be practiced with the first message 103 being prepared upon request by an applicant, and including data specific to this applicant. Although this may enhance the security of the applicant registration [...], it may also increase the administrative workload [...].

An instance of secret key exchange starts with the receipt of the first message 103, if any, and may proceed with the other steps of the applicant registration program 100 whenever triggered by the applicant. The execution of the other
steps of the applicant registration program 100 is a controlled computer operation by the applicant. It is the applicant's digital processor that executes the applicant registration program 100.

An instance of secret key exchange includes, as part of the applicant registration program 100, the application of integrity mechanism 107 to recover public key 204 from sealed public key 203. This is the reversal of the said transformation that resulted in the "sealed public key" 203. As a consequence of this application of integrity mechanism 107, the applicant registration program 100 may abort the instance of secret key exchange. In cases where the integrity mechanism 107 is not used, the public key 204 is directly available to the applicant registration program 100 as part of the set of parameters.

In the case of DH-Harn, an instance of secret key exchange includes, as part of the applicant registration program 100, the verification of the Lein Harn intriguing digital signature, that is the verification that the numbers s and r from the first message 103 satisfy the appropriate verification equation. See the PKC specification table under the row heading "Verification of first message".

An instance of secret key exchange also includes, as part of the applicant registration program 100, the receipt of two [secret phrases], pass query 206 and pass reply 209, through keyboard input device 101. According to the spirit of the present invention, the applicant should choose unique [...] secret phrases for these two inputs. Without departing from the spirit of the present invention, the pass query 206 and pass reply 209 can be displayed by the applicant registration program 100 instead of being input from the input device 101. Then, randomness and secrecy should surround the generation of the pass query 206 and the pass reply 209 to ensure a logical bind or link between this instance of secret key exchange and the displayed values for pass query 206 and pass reply 209.

[An instance of secret key exchange also includes, as part] of the hybrid public/secret key cryptographic processing 106, the local generation of an internal secret key according [to the PKC in use ...] bits [...] size, hence k = 256. The preferred embodiment for the random source 105 includes [...] computer hard disk protected with the Frogbit data [...] an instance of secret key exchange. [...] part of the [...] cryptosystem, the number f being [...] second message [...]. There is no signature generation from the applicant's digital processor; in other words, Harn's improvement to the Diffie-Hellman cryptosystem is applied only for the issuer. As is well known in the prior art, the components of the second message 104 prepared in this way allow the issuer data processing center to recover the internal secret key while protecting it from adversaries even if they can eavesdrop on the set of parameters, first message 103, and second message 104.

Without departing from the spirit of the present invention, other PKCs may be used for the local generation of the internal secret key. A likely candidate is any PKC that is a secret key establishment cryptosystem using a public key 204. For instance, the original Diffie-Hellman cryptosystem can be used directly with the same public key as for the DH-Harn improvement, in which case the internal secret key is computed as y^e mod p, where e is generated by the random source 105, and y and p were part of the set of parameters. According to the spirit of the present invention, another possible arrangement to obtain the internal secret key would rely on a public/private key pair of the applicant that would not require certification as in the prior art public key cryptography. The presence of this public/private pair of the applicant would make the random source 105 unnecessary. In this alternate scheme, the issuer public key 204 would be like in the PK-Encr case. The public component of the public/private key pair of the applicant would be encrypted using the issuer public key 204 and then transmitted to the issuer data processing centre 300 where it would be decrypted using the [...]. [In] the issuer data processing center 300 the function of the random source 105 would be performed, thus generating the internal secret key as if done by the applicant registration program 100 in the PK-Encr case. The internal secret key [...] sent back to the applicant [...] the knowledge of the private [...].

Still according to the PKC in use and as part of the hybrid public/secret key cryptographic processing 106, the applicant's digital processor derives the secret key 201 from part [of the internal secret key]. This secret key derivation may use any [...] unambiguous [...] not shared with the issuer data processing center 300. For [...] internal secret key distinct from the two parts
chosen by the applicant at the time of secret key establishment, and the like. This cryptographic protection is done with secret key cryptographic algorithms, partly with the help of key-less hash functions. This cryptographic protection [covers] part or all of the internal [...]. [For the] pass query 206 and the pass reply 209, this cryptographic protection is confidentiality and data integrity [...]. For the other data 108, this cryptographic protection may be what is deserved by a particular application. The result [...] starts with the computation of a Message Authentication Code (MAC) of the pass query, the pass reply and the other data 108 if any, using CBC-MAC with the DES [...] applied to the pass query 206, the pass reply 209 and any portion of the other data 108 that [requires such] protection, using another part of the [internal secret key ...]. Thus, the data elements that go into second message 104 as a result of the cryptographic protection are 1) the ciphertext representation of the encrypted data, 2) the unencrypted portion, if any, of the other data 108, and 3) the calculated [MAC].

[The last step] of the applicant registration program 100 [is the] loading of secret key 201 into the portable [memory device 102, which is] done by key loader 109 that is any [...]. [The key loader 109 splits the] secret key 201 into three parts as follows: the key loader 109 accepts a local applicant's PIN (that is not stored in the issuer database) through [keyboard input device 101; the] first component is calculated as k1 = hash(PIN) where hash is a key-less hash function; the key loader gets a component k2 from the random source 105 [and a third component k3 is] computed as [k3 = k1 XOR k2 XOR secret_key] where secret_key is the secret key 201 and XOR is the exclusive or operation. The key loader 109 loads the key component k2 into a Dallas Semiconductor DS1992 memory and loads k3 [into a computer file. Recovering the secret key 201 then] requires 1) knowledge of the local applicant's PIN, 2) access to the Dallas Semiconductor DS1992 memory, and 3) access to the computer file.

An instance of secret key exchange also includes, as part of the applicant registration program 100, the sending of second message 104 to the issuer data processing center 300 through any ordinary data communications network. Once the second message 104 is received in the issuer data processing center 300, the reversed cryptographic processing 306 may be executed for the instance of secret key exchange characterized by the particular second message 104. The reversed cryptographic processing 306 is essentially the reversal of the hybrid public/secret key cryptographic processing 106. Even if it is a controlled computer operation by the issuer, it can be executed with minimal operator supervision, e.g. as an automated processing upon receipt of an e-mail message containing second message 104. [...] with the private key 205 and recovering [the internal secret key according to the] PKC in use [...]. In the case of PEKE, [it is possible] for this instance of the secret key exchange to [be aborted] as a consequence of a suspected security breach detected during the reversal of the PKC in use. See the PKC specification table under the row heading "Verification of second message". With PK-Encr, the reversal of the PKC in use [is the decryption] of the ciphertext found in [the second message 104], see the PKC specification [table ...].

[...] reversed cryptographic processing 306 [...] secret key cryptographic [...]. [The] recovered secret key 202 is stored in the [issuer] database 303. The secret key status 305 is set to [...]. [...] the cryptographic protections initially applied to pass query 206, pass reply 209, and [other data 108 ...] for this instance of the [secret key exchange ...] consequence of a secret key [...]. [... pass] query 207 and pass reply [211 ...] the issuer's identity may be [...] provides the issuer's agent with the human readable [form of pass query 207 and pass reply 211 ...]. [...] the key status 305 may indicate successful [verification of] identity; correspondingly the [...] of [the] instance of secret key exchange according [to the present] invention [...] update of the key status 305 [...] the failure of this instance of secret key [exchange ...] bind between the secret key 202 and the applicant. The known art of data processing security should be applied to [...] the human readable form of the reply 211, [...] through the [...].

[...] a critical design issue, especially if the applicant's digital processor is a low [...]. If the [PKC is] PEKE, the prior art of Montgomery reduction may be applied advantageously [...] variant of the [...] would do the [...] operations [...] mod N (and respectively [mod S]) [...] algorithm described hereafter [...] pre-computation of some values, to [...] applicant's processor. [... n] such that b^n > N (and respectively s such that b^s > S). [The values] precomputed are b^n mod N (and respectively [b^s mod S]) [and] N_0' (and respectively S_0') to be [used ...] as specified hereafter. [An] advantageous change is to [compute B_i as (x_i × B] mod N) mod 2^k, the latter being more quickly computed by the Montgomery algorithm.
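The three-way split performed by key loader 109 (PIN-derived k1, device-resident k2, file-resident k3), written out so that the reconstruction rule and its failure modes are explicit. This is an added example, not code from the patent. Assumptions: the key-less hash is SHA-256 (the patent names no specific hash), keys are 32 bytes, the third component is k3 = k1 XOR k2 XOR secret_key (this example's reading of the garbled formula), and the DS1992 memory and the computer file are stood in for by plain byte strings.

```python
# Added example (not the patent's code): the key loader 109 three-way split.
import hashlib
import secrets

KEY_LEN = 32  # bytes; constructed choice for this example


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise exclusive or of two equal-length strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def k1_from_pin(pin: str) -> bytes:
    """k1 = hash(PIN): a key-less hash (SHA-256 assumed here), so k1 is never
    stored anywhere and the PIN is not held in the issuer database."""
    return hashlib.sha256(pin.encode("utf-8")).digest()[:KEY_LEN]


def split_secret_key(secret_key: bytes, pin: str):
    """Key loader 109: returns (k2, k3). k2 goes to the portable memory device
    102, k3 to a computer file; k1 is recomputed from the PIN when needed."""
    assert len(secret_key) == KEY_LEN
    k1 = k1_from_pin(pin)
    k2 = secrets.token_bytes(KEY_LEN)            # from the random source 105
    k3 = xor_bytes(xor_bytes(k1, k2), secret_key)  # assumed: k3 = k1 ^ k2 ^ key
    return k2, k3


def rebuild_secret_key(pin: str, k2: bytes, k3: bytes) -> bytes:
    """Reassembly needs all three: the PIN (knowledge), the device content k2,
    and the file content k3; any one of them missing yields an unrelated value."""
    return xor_bytes(xor_bytes(k1_from_pin(pin), k2), k3)


def demo():
    """Returns (roundtrip_ok, wrong_pin_recovers, missing_device_recovers)."""
    secret_key = secrets.token_bytes(KEY_LEN)    # stands in for secret key 201
    k2, k3 = split_secret_key(secret_key, "2468")
    roundtrip_ok = rebuild_secret_key("2468", k2, k3) == secret_key
    wrong_pin = rebuild_secret_key("2469", k2, k3) == secret_key
    no_device = rebuild_secret_key("2468", bytes(KEY_LEN), k3) == secret_key
    return roundtrip_ok, wrong_pin, no_device


if __name__ == "__main__":
    print(demo())
```

The split gives three required factors, not three independent secrets: k2 and k3 are full-entropy, but k1 carries only as much entropy as the PIN, so the protection of the device and of the file is what keeps the PIN from being the single remaining unknown.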

Montgomery multiplication, in the multiple precision case as in the present invention, allows fast modular arithmetic for a modulus N relatively prime to b^n, where b^n > N, and arithmetic modulo b is easy (e.g. 2^767 < N < 2^768, N is odd, b = 2^8, n = 96, so b^n = 2^768). Let B = b^n (not to be confused with B_i, a notation proper to the PEKE specification). Given T satisfying 0 <= T <= B × N, the Montgomery reduction algorithm efficiently computes T × (B^−1) mod N. Our focus is the modular multiplication, so let T = x' × y' where x' = x × B mod N and y' = y × B mod N; then the Montgomery reduction algorithm efficiently computes x' × y' × (B^−1) mod N = x × y × B mod N.

Let us use the notation M_N(X, Y) for the result of X × Y × (B^−1) mod N, using the Montgomery reduction algorithm. Then x × y × B mod N = M_N(x × B mod N, y × B mod N). To convert an integer x, 0 <= x < N, into x × B mod N, compute M_N(x, B^2 mod N). The value B^2 mod N should be pre-computed once and for all; this must be done with a general purpose division operation. To recover x from x × B mod N, compute M_N(x × B mod N, 1). There are two routes to complete a single modular multiplication: M_N(M_N(x, y), B^2 mod N) = x × y mod N, or by pre-computing x' = M_N(x, B^2 mod N) and y' = M_N(y, B^2 mod N), and then M_N(M_N(x', y'), 1) = x × y mod N. Whenever a series of multiplications is performed on a same set of inputs or intermediate results, the latter route is more efficient. This is the case of the PEKE cryptosystem whenever the PEKE parameter t is greater than 1. Moreover, if the PEKE equation is changed as suggested above, the PEKE cryptosystem can be restated as x' = M_N(x, B^2 mod N), x_0' = M_N(x', x'), x_(i+1)' = M_N(x_i', x_i'), and B_i = x_i' mod 2^k.

Now, the internals of the multiprecision Montgomery multiplication algorithm may be stated. There is a need for the value of integer N' such that B × (B^−1) − N × N' = 1, where B × (B^−1) mod N = 1. Actually, only the least significant part of N' is needed, hence the definition N_0' = N' mod b. We reproduce below the simple algorithm from the above-mentioned article by Dusse and Kaliski to efficiently find N_0' from N_0 and b, when b is an exact power of two. Thus, N_0' can be computed once and for all.

modular_inverse(N, b)
    Let k be such that b = 2^k
    t := 1;
    for i := 2 to k do
        if (N_0 × t mod 2^i) > 2^(i−1) then
            t := t + 2^(i−1);
    return b − t;

In the multiprecision Montgomery multiplication algorithm that follows, capital letters are multi-precision variables. The indices are as expected for natural integers, e.g. N_0 is the least significant part of N. The algorithm is an application of the convolution-sum method for the multiplication. The variable c is an accumulator with sufficient capacity for a sum of products and multiple carry bits from the additions (up to 2n of them).

N_0' := b − (N_0^−1 mod b);
c := 0;
for k := 0 to n−1 do
    c := c + Σ_(i=0..k−1) (X_i × Y_(k−i) + Q_i × N_(k−i));
    c := c + X_k × Y_0;
    Q_k := c × N_0' mod b;
    c := c + Q_k × N_0;
    c := ⌊c/b⌋;
for k := 0 to n−1 do
    c := c + Σ_(i=k+1..n−1) (X_i × Y_(n+k−i) + Q_i × N_(n+k−i));
    R_k := c mod b;
    c := ⌊c/b⌋;
R_n := c;
if R ≥ N then
    R := R − N;
return R;

The variable R_n is actually a local storage area of this algorithm (like Q and lower case variables). Consequently, the storage requirement for R is the same as for X and Y. Moreover, if X and Y are the same variable, as in the modular squaring operation of the PEKE cryptosystem, the storage for X, Y, and R can be the same.
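The Montgomery product as laid out above, implemented digit by digit in Python: the Dusse-Kaliski digit inverse, the two-pass convolution-sum loop, the two-step route M_N(M_N(x, y), B^2 mod N), and the restated PEKE squaring chain kept in Montgomery form. This is an added example, not code from the patent. Assumptions: digits are base b = 2^8, the modulus 1000003 and the operands 123456 and 654321 are constructed toy values (the patent's N is 768 bits), and Python's unbounded integers play the accumulator c so no carry capacity has to be sized.

```python
# Added example (not the patent's code): multiprecision Montgomery product,
# in the convolution-sum form given above, checked against plain arithmetic.


def digit_inverse(n0: int, b: int) -> int:
    """modular_inverse(N, b) from above: N_0' = b - (N_0^-1 mod b) for b = 2^k
    and odd N_0, computed bit by bit without any division."""
    k = b.bit_length() - 1
    assert b == 1 << k and n0 % 2 == 1
    t = 1
    for i in range(2, k + 1):
        # N_0 * t mod 2^i is either 1 or 1 + 2^(i-1); fix the next bit of t
        if (n0 * t) % (1 << i) > (1 << (i - 1)):
            t += 1 << (i - 1)
    return b - t


def ndigits(v: int, b: int) -> int:
    """Number of base-b digits of v (n in the text)."""
    n = 0
    while v:
        n += 1
        v //= b
    return n


def to_digits(v: int, b: int, n: int) -> list:
    """Least significant digit first, exactly n digits."""
    out = []
    for _ in range(n):
        out.append(v % b)
        v //= b
    assert v == 0, "value does not fit in n digits"
    return out


def from_digits(ds: list, b: int) -> int:
    v = 0
    for d in reversed(ds):
        v = v * b + d
    return v


def mont_product(x: int, y: int, nmod: int, b: int = 256) -> int:
    """M_N(X, Y) = X * Y * B^-1 mod N with B = b^n; x, y < N and N odd."""
    n = ndigits(nmod, b)
    X, Y, Nd = to_digits(x, b, n), to_digits(y, b, n), to_digits(nmod, b, n)
    n0p = digit_inverse(Nd[0], b)          # N_0' := b - (N_0^-1 mod b)
    Q = [0] * n
    R = [0] * (n + 1)
    c = 0                                  # accumulator (unbounded here)
    for k in range(n):                     # low half: pick Q_k so digit k is 0
        for i in range(k):
            c += X[i] * Y[k - i] + Q[i] * Nd[k - i]
        c += X[k] * Y[0]
        Q[k] = (c * n0p) % b
        c += Q[k] * Nd[0]
        assert c % b == 0                  # digit k of X*Y + Q*N vanishes
        c //= b
    for k in range(n):                     # high half: digits of (X*Y + Q*N)/B
        for i in range(k + 1, n):
            c += X[i] * Y[n + k - i] + Q[i] * Nd[n + k - i]
        R[k] = c % b
        c //= b
    R[n] = c                               # final carry, R_n
    r = from_digits(R, b)
    if r >= nmod:                          # result is below 2N, one subtraction
        r -= nmod
    return r


def mont_mulmod(x: int, y: int, nmod: int, b: int = 256) -> int:
    """x * y mod N by the first route: M_N(M_N(x, y), B^2 mod N)."""
    B = b ** ndigits(nmod, b)
    b2 = (B * B) % nmod                    # the one general-purpose division
    return mont_product(mont_product(x, y, nmod, b), b2, nmod, b)


def peke_chunks_montgomery(x: int, nmod: int, t: int, k_bits: int, b: int = 256):
    """Restated PEKE chain: x' = M_N(x, B^2 mod N), x'_0 = M_N(x', x'),
    x'_{i+1} = M_N(x'_i, x'_i), B_i = x'_i mod 2^k. Operands stay in
    Montgomery form, so each squaring costs a single M_N call."""
    B = b ** ndigits(nmod, b)
    xp = mont_product(x, (B * B) % nmod, nmod, b)
    chain = [mont_product(xp, xp, nmod, b)]
    for _ in range(t - 1):
        chain.append(mont_product(chain[-1], chain[-1], nmod, b))
    return [xi % (1 << k_bits) for xi in chain]


if __name__ == "__main__":
    print(mont_mulmod(123456, 654321, 1000003), (123456 * 654321) % 1000003)
```

The chunks returned by peke_chunks_montgomery are (x_i × B mod N) mod 2^k, i.e. the changed PEKE equation mentioned above, not x_i mod 2^k; both sides of the exchange must use the same convention.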

I claim: 

1. A method of establishing a secret cryptographic key 
shared between an applicant and an issuer comprising the 
steps of: 

providing said applicant with a registration computer 
program means, said registration computer program 
means having a public key of said issuer and public key 
encryption capability; 
generating said secret key using at least some random 

information at an applicant end; 
generating a pass reply message using at least some 

arbitrary information at said applicant end; 
encrypting said secret key and said pass reply using said 
public key to form at least one encryption message, said 
message including information allowing said issuer to 
identify said applicant; 
sending said encryption message to said issuer by tele- 
communications means; 
decrypting said encryption message at an issuer end to 
retrieve said secret key and said pass reply using a 
private key of said issuer; 
receiving a second communication from said applicant at 
said issuer end separate from said encryption message 
over a channel that enables said issuer to ascertain said 
second communication to be genuinely from said 
applicant, said second communication containing said 
pass reply; 

confirming a validity of said secret key at least with said 
issuer if said pass reply received during said second 
communication matches said pass reply decrypted, 
whereby said secret key may be confirmed for use in 
future transactions. 

2. The method according to claim 1, wherein said step of 
confirming comprises displaying said pass reply decrypted 
to an agent at said issuer end. 

3. The method according to claim 1, wherein said step of
receiving a communication from said applicant comprises
establishing telephonic communication with an agent at said
issuer end and said applicant.

4. The method according to claim 3, further comprising a step of generating a pass query, wherein said step of encrypting comprises encrypting said pass query, said step of decrypting comprises decrypting said pass query, and further comprising a step of communicating said pass query to said applicant from said issuer end prior to receiving said pass reply in said communication, whereby said applicant is reassured that said issuer is genuine as a result of hearing said pass query, and feels safe to proceed with giving said pass reply. 

5. The method according to claim 4, wherein said step of 
communicating comprises displaying said pass query 
decrypted to said agent. 

6. The method according to claim 3, wherein said agent is provided with some personal identification information about said applicant, said step of confirming further comprising said agent asking a personal identification question to said applicant and listening for a correct response. 

7. The method according to claim 5, wherein said agent is provided with some personal identification information about said applicant, said step of confirming further comprising said agent asking a personal identification question to said applicant and listening for a correct response. 

8. The method according to claim 1, wherein said pass reply is input by said applicant. 

9. The method according to claim 1, wherein said pass 
reply is displayed to said applicant. 

10. The method according to claim 1, further comprising a step of selecting a personal identification number (PIN) for said applicant, wherein said step of encrypting further comprises encrypting said PIN, said step of decrypting further comprises decrypting said PIN, said PIN being stored at said issuer end for use in verification of future transactions. 

11. The method according to claim 1, wherein said applicant possesses a smart card device and uses a smart card device interface connected to said program means, said secret key being loaded into said smart card device. 

12. A method of applying for approval of a secret cryptographic key to be shared between an applicant and an issuer comprising the steps of: 

obtaining a registration computer program means, said registration computer program means having a public key of said issuer and public key encryption capability; 

generating said secret key using at least some random information; 

generating a pass reply message using at least some arbitrary information; 

encrypting said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant; 

sending said encryption message to said issuer by telecommunications means; 

communicating said pass reply to said issuer end separately from said encryption message over a channel that enables said issuer to ascertain said pass reply to be genuinely from said applicant, said communication containing said pass reply. 

13. The method according to claim 12, wherein said applicant possesses a smart card device and uses a smart card device interface connected to said program means, said secret key being loaded into said smart card device. 

14. A method of approving a secret cryptographic key to be shared between an applicant and an issuer comprising the steps of: 

receiving at least one encryption message from said applicant by telecommunications means, said message including an encryption of a secret key and a pass reply using public key encryption with a public key of said issuer, said message including information allowing said issuer to identify said applicant; 

decrypting said encryption message to retrieve said secret key and said pass reply using a private key of said issuer; 

receiving a second communication from said applicant separate from said encryption message over a channel that enables said issuer to ascertain said second communication to be genuinely from said applicant, said second communication containing said pass reply; 

confirming a validity of said secret key at least with said issuer if said pass reply received during said second communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions. 
15. A system for establishing a secret cryptographic key shared between an applicant and an issuer comprising: 

applicant registration means having a public key of said issuer and public key encryption capability for generating said secret key using at least some random information at an applicant end, for generating a pass reply message using at least some arbitrary information at said applicant end, and for encrypting said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant; 

means for sending said encryption message to said issuer by telecommunications means; 

means for decrypting said encryption message at an issuer end to retrieve said secret key and said pass reply using a private key of said issuer; 

means for receiving a second communication from said applicant at said issuer end separate from said encryption message over a channel that enables said issuer to ascertain said second communication to be genuinely from said applicant, said second communication containing said pass reply; 

means for confirming a validity of said secret key at least with said issuer if said pass reply received during said second communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions. 